How do I protect my ASP.NET code from a SQL Injection?
The following article explains how to protect your ASP.NET code from SQL injection. The recent injection attacks seen against ASP and ASP.NET coded sites take advantage of vulnerabilities in improperly coded sites. These attacks can be mitigated by running any user input that can reach the database through a sanitization process; this applies not only to .NET and ASP code but to any language. Below are examples of how to protect your code from injection attacks.
The following are a few techniques you can use to protect your code from Injection attacks:
Write your dynamic queries using parameterized queries
Imports System.Data
Imports System.Data.SqlClient

Dim page_num As String = Request.QueryString("page")
Dim cmd As New SqlCommand("SELECT title, content FROM page WHERE p_id = @p_id")
' Bind the value as a typed parameter: it is sent separately from the SQL text and is never parsed as SQL
Dim param As New SqlParameter("@p_id", SqlDbType.Int)
param.Value = page_num
cmd.Parameters.Add(param)
Set the length of the input data
If you know that the input data will never be longer than a set amount, constrain it to that length. In this case we are going to constrain the page length to 4 characters, which gives us up to 9999 pages.
Imports System.Data
Imports System.Data.SqlClient

Dim page_num As String = Request.QueryString("page")
Dim cmd As New SqlCommand("SELECT title, content FROM page WHERE p_id = @p_id")
' Here we are setting the max length to 4 characters
Dim param As New SqlParameter("@p_id", SqlDbType.Int, 4)
param.Value = page_num
cmd.Parameters.Add(param)
Sanitize any escape characters from the SQL query
Imports System.Data
Imports System.Data.SqlClient

Dim page_num As String = SafeSQLLiteral(Request.QueryString("page"))
Dim cmd As New SqlCommand("SELECT title, content FROM page WHERE p_id = @p_id")
Dim param As New SqlParameter("@p_id", SqlDbType.Int, 4)
param.Value = page_num
cmd.Parameters.Add(param)

' Double any single quote so it cannot close a string literal inside the query text
Private Function SafeSQLLiteral(ByVal inputSQL As String) As String
    Return inputSQL.Replace("'", "''")
End Function
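The three techniques above combined into one request path, as an added example that is not code from the original article (the connection string, the layout of the page table and every function name here are assumptions). Two points the snippets leave implicit are made explicit: the Size argument on a SqlDbType.Int parameter does not limit anything, because Int is a fixed-length type, so the 4-character limit has to be enforced by validating the input before it is bound (Size does apply to string and binary types, shown on the NVarChar search parameter); and once a value is passed as a parameter it is never parsed as SQL, so the quote doubling in SafeSQLLiteral is no longer needed, and the only escaping a parameterised string still wants is for LIKE wildcards.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

' Added example, not from the original article. Assumes the article's "page"
' table with columns p_id, title and content, and a caller-supplied
' connection string.
Public Module PageRepository

    ' The article limits page ids to four digits, i.e. 1..9999.
    Private Const MaxPageId As Integer = 9999

    ' Validate the raw query-string value before anything touches the database.
    ' SqlParameter.Size is ignored for the fixed-length SqlDbType.Int, so the
    ' length/range check has to happen here, not on the parameter.
    Public Function TryParsePageId(ByVal raw As String, ByRef pageId As Integer) As Boolean
        pageId = 0
        If String.IsNullOrEmpty(raw) OrElse raw.Length > 4 Then Return False
        If Not Integer.TryParse(raw, pageId) Then Return False
        Return pageId >= 1 AndAlso pageId <= MaxPageId
    End Function

    ' Typed parameter: the value travels separately from the SQL text, so it is
    ' never parsed as SQL and needs no quote escaping.
    Public Function BuildPageCommand(ByVal conn As SqlConnection, ByVal pageId As Integer) As SqlCommand
        Dim cmd As New SqlCommand("SELECT title, content FROM page WHERE p_id = @p_id", conn)
        cmd.Parameters.Add("@p_id", SqlDbType.Int).Value = pageId
        Return cmd
    End Function

    ' Escape the LIKE wildcards so user input matches literally. "[" must be
    ' handled first, because the other replacements introduce brackets.
    Public Function EscapeLikeWildcards(ByVal term As String) As String
        Return term.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]")
    End Function

    ' String parameter with a declared Size: for NVarChar the length constraint
    ' the article describes does take effect. The term is length-checked first
    ' so the "%...%" pattern always fits the 50 characters declared below.
    Public Function BuildSearchCommand(ByVal conn As SqlConnection, ByVal term As String) As SqlCommand
        If term Is Nothing OrElse term.Length > 40 Then
            Throw New ArgumentException("search term missing or longer than 40 characters", "term")
        End If
        Dim cmd As New SqlCommand("SELECT title FROM page WHERE title LIKE @pattern", conn)
        Dim p As New SqlParameter("@pattern", SqlDbType.NVarChar, 50)
        p.Value = "%" & EscapeLikeWildcards(term) & "%"
        cmd.Parameters.Add(p)
        Return cmd
    End Function

    ' Request path: reject bad input first, then run the parameterised query.
    ' From an ASP.NET page call it as LoadPage(cs, Request.QueryString("page")).
    ' Returns Nothing when the id is invalid or no row exists, so the caller can
    ' answer with 400/404 instead of letting an exception surface.
    Public Function LoadPage(ByVal connectionString As String, ByVal rawPageId As String) As String
        Dim pageId As Integer
        If Not TryParsePageId(rawPageId, pageId) Then Return Nothing

        Using conn As New SqlConnection(connectionString)
            conn.Open()
            Using cmd As SqlCommand = BuildPageCommand(conn, pageId)
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    If reader.Read() Then Return reader.GetString(1) ' content column
                End Using
            End Using
        End Using
        Return Nothing
    End Function

End Module
```

With this layout a request such as page=12abc or page=123456 is refused by TryParsePageId before a connection is even opened, and a search term containing quotes, semicolons or comment markers reaches SQL Server as plain characters inside the @pattern parameter rather than as query text.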
More information and code examples are available at:
- Coding techniques for protecting against SQL injection - http://forums.asp.net/t/1254125.aspx
- Protect From SQL Injection in ASP.NET - http://msdn.microsoft.com/en-us/library/ms998271.aspx
- SqlDbType Enumeration - http://msdn.microsoft.com/en-us/library/system.data.sqldbtype.aspx
- SqlParameter Class - http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx?wt.slv=rightrail
